
Voice biometrics: coming to a security system near you

More secure than fingerprints and good enough to catch scammers: join us for a …

Big brother is listening to you

With governments and major private institutions beginning to collect databases of voiceprints, certain privacy concerns are inevitably raised. Michael Kramer, the CEO of Voice.Trust, described his own attempt to sell his company's voice biometrics software in France. It took 18 months of negotiations with French regulators, and it culminated in a meeting in Paris where Kramer was grilled by government officials about whether his company might ever provide voiceprints to the CIA or related entities.

In the US, similar questions might be asked of corporations, even those with strict privacy policies, in the wake of the phone companies' capitulation to the US government regarding phone records. Should an intelligence agency or even a police department find itself with a juicy piece of audio evidence that it can't match up to a name, it doesn't require a huge imaginative leap to see that it might be tempted to secure private databases from banks and other institutions in order to find a match. While that doesn't sound too bad, it could eventually lead to the government possessing massive voiceprint databases that could identify a large percentage of US speakers.

Is that a bad thing? The answer to that might well depend on your politics. It would also be a ton of work for the government to do such a thing, since the various voiceprints would all be generated in different ways and stored in different formats. Consolidating them into some national database of speakers would require substantial time and energy and, quite possibly, cooperation from the five or six companies that design the core verification engines.

Can you hear me now?

Voice verification is here at last and poised to grow rapidly, but it's still a small market. All forms of biometric identification generated $2 billion of revenue in 2006, according to Dan Miller, a senior analyst at Opus Research—and half of that money went to fingerprint scanning. But voice, due to particular passages we've been discussing, has already won over ABN AMRO, Bell Canada, Ameritrade, the Australian government, Volkswagen Financial Services, and (of all things) the US Department of Agriculture.

Dan Faulkner, the director of product management and solution marketing at Nuance, tells Ars that his company's systems have achieved tuned errors of below one percent in real-world deployments with companies like Aeroplan, and other vendors reported similar results in their own deployments. When voice verification is text-dependent, this error rate is further reduced by orders of magnitude. The systems can be quite secure, but they do have their limits.

One of those limits is twins and even immediate family members, whose physiology may be similar enough to confuse the computer. Oliver Geiseler of Volkswagen Financial Services described his own company's use of voice verification for an internal help desk password reset application. Twins, it turns out, were able to defeat the system.

This isn't the sort of thing that keeps security researchers up at night, but it's a reminder that the systems aren't perfect and probably never will be. The hardest choice for companies that roll out the technology isn't finding a decent vendor or a robust implementation, but deciding how much risk they can tolerate, and how much frustration their customers will accept in the name of tighter security.
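The trade-off described above can be made concrete with a short added example (not part of the original article). The similarity scores, the three cohorts, and the function names are all constructed for illustration and assume a hypothetical engine that returns a score between 0 and 1.

```python
# Constructed similarity scores (0-1) from a hypothetical verification engine;
# higher means "more likely the enrolled speaker". None are real measurements.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.86, 0.93, 0.72, 0.90, 0.84, 0.97,
           0.81, 0.89, 0.94, 0.77, 0.87, 0.92, 0.69, 0.85, 0.96, 0.83]
IMPOSTOR = [0.22, 0.35, 0.41, 0.18, 0.55, 0.30, 0.62, 0.27, 0.48, 0.71,
            0.33, 0.25, 0.44, 0.38, 0.59, 0.20, 0.52, 0.29, 0.66, 0.36]
TWIN = [0.78, 0.83, 0.74, 0.88, 0.80]  # twin tested against a sibling's voiceprint


def accept_rate(scores, threshold):
    """Fraction of attempts whose score meets the acceptance threshold."""
    return sum(s >= threshold for s in scores) / len(scores)


def pick_threshold(attackers, max_accept):
    """Lowest observed score that, used as the threshold, keeps the given
    cohort's acceptance rate at or below max_accept (None if none does)."""
    for t in sorted(set(GENUINE + IMPOSTOR + TWIN)):
        if accept_rate(attackers, t) <= max_accept:
            return t
    return None


def tradeoff(threshold):
    """Security outcome and customer friction at one threshold."""
    return {
        "threshold": threshold,
        "impostor_accept": accept_rate(IMPOSTOR, threshold),
        "twin_accept": accept_rate(TWIN, threshold),
        "genuine_reject": sum(s < threshold for s in GENUINE) / len(GENUINE),
    }


if __name__ == "__main__":
    policies = {
        "tolerate 5% unrelated impostors": pick_threshold(IMPOSTOR, 0.05),
        "tolerate no unrelated impostors": pick_threshold(IMPOSTOR, 0.0),
        "tolerate no twins": pick_threshold(TWIN, 0.0),
    }
    for name, t in policies.items():
        print(name, tradeoff(t))
```

On this constructed data, a threshold that shuts out every unrelated impostor still accepts every twin, and raising it far enough to reject the twins turns away more than half of the legitimate callers.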